Description
A missing authorization flaw was found in the OpenShift Cluster Logging Operator. The operator creates and forwards ServiceAccount tokens to output destinations without verifying that the ClusterLogForwarder creator has permission to use those credentials, allowing a delegated editor to exfiltrate SA tokens and escalate privileges.
Published: 2026-06-23
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization flaw in the OpenShift Cluster Logging Operator allows a user with delegated editor permissions to create a ClusterLogForwarder that forwards ServiceAccount tokens to arbitrary external destinations. The operator does not verify that the cluster log forwarder creator is authorized to use those credentials, permitting exfiltration of service account tokens and the potential use of those tokens for additional cluster access. The vulnerability is a classic example of improper authorization, identified as CWE‑862.

Affected Systems

The flaw affects the Red Hat Logging Subsystem for Red Hat OpenShift, specifically the OpenShift Cluster Logging Operator component. The affected product is identified as Red Hat Logging 6; no further version granularity is available in the listing.

Risk and Exploitability

The CVSS score of 6.8 classifies the issue as moderate, indicating a non‑trivial threat. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting low immediate exploit pressure. The likely attack vector is the creation of a ClusterLogForwarder object by an attacker with delegated editor rights; the operator will then forward the service account token to an external endpoint, enabling credential theft and potentially privilege escalation if those tokens grant broad cluster access. The risk is moderate to high in environments where delegated editors can create ClusterLogForwarder resources or where service account tokens have wide cluster permissions.

Generated by OpenCVE AI on June 24, 2026 at 11:57 UTC.

Remediation

Vendor Workaround

Restrict ClusterLogForwarder write access to trusted administrators only. Review existing ClusterRoleBindings and RoleBindings that grant clusterlogforwarders write permission. Apply NetworkPolicy egress restrictions to the collector namespace to prevent collector pods from reaching arbitrary external endpoints. Deploy admission controller policies (OPA/Gatekeeper/Kyverno) to deny CLF resources whose outputs point to non-allowlisted URLs. Monitor for ClusterLogForwarder resources with outputs pointing to external URLs, especially those using token.from: serviceAccount.


OpenCVE Recommended Actions

  • Restrict ClusterLogForwarder write access to only trusted administrators by reviewing and tightening ClusterRoleBindings and RoleBindings for write permissions.
  • Deploy NetworkPolicy egress restrictions in the collector namespace to block collector pods from reaching arbitrary external endpoints.
  • Deploy admission controller policies (OPA/Gatekeeper/Kyverno) to deny ClusterLogForwarder resources whose outputs point to non‑allowlisted URLs.

Generated by OpenCVE AI on June 24, 2026 at 11:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 23 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat logging Subsystem For Red Hat Openshift
Vendors & Products Redhat logging Subsystem For Red Hat Openshift

Tue, 23 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description A missing authorization flaw was found in the OpenShift Cluster Logging Operator. The operator creates and forwards ServiceAccount tokens to output destinations without verifying that the ClusterLogForwarder creator has permission to use those credentials, allowing a delegated editor to exfiltrate SA tokens and escalate privileges.
Title Openshift/cluster-logging-operator: cluster logging operator creates and forwards serviceaccount tokens without verifying clf creator authorization
First Time appeared Redhat
Redhat logging
Weaknesses CWE-862
CPEs cpe:/a:redhat:logging:6
Vendors & Products Redhat
Redhat logging
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N'}


Subscriptions

Redhat Logging Logging Subsystem For Red Hat Openshift
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-23T13:58:28.816Z

Reserved: 2026-06-02T11:48:09.073Z

Link: CVE-2026-10609

cve-icon Vulnrichment

Updated: 2026-06-23T13:58:26.254Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-23T09:00:00Z

Links: CVE-2026-10609 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:00:05Z

Weaknesses